I'm trying to solve an API compliance problem. There are many externally facing APIs in our organisation which are not following security standards. I want an automation to audit them and mark them according to compliance. I want to identify these APIs:
- APIs that do not have WAF (web application firewall) configured.
- APIs that do not have the correct authorizer configured.
- APIs that use HTTP.
I want to write some custom AWS Config rules (logic run in Lambda) to identify these APIs, but the configuration item which we get from AWS Config regarding API Gateway doesn't contain my desired attributes (like protocol, WAF etc.), so I'm not understanding how to write the custom logic.
I have tried custom AWS Config rules with Lambda; there are no attributes that check for my conditions. P.S.: I'm new to cloud and cloud security, would love to learn from your answers.
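An added example (not code from the question's author or from AWS) of one way to do this: a custom Config rule Lambda scoped to `AWS::ApiGateway::Stage` that fetches the attributes the configuration item lacks by calling the API Gateway and WAFv2 APIs directly, then applies the three checks and reports back with `put_evaluations`. Assumptions: the stage configuration item carries `restApiId` and `ARN`, "WAF" means a WAFv2 regional web ACL associated with the stage, and "uses HTTP" is read as a method whose backend integration URI is plaintext `http://`; the decision logic in `evaluate_stage()` is kept separate from the AWS calls so it can be unit-tested offline.

```python
import json

# Constructed sample of the facts gathered for one stage (not real AWS data).
SAMPLE_FACTS = {"web_acl_arn": None, "methods": [
    {"http_method": "GET", "path": "/orders", "authorization_type": "NONE",
     "integration_uri": "http://10.0.0.5/orders"},
    {"http_method": "POST", "path": "/orders", "authorization_type": "AWS_IAM",
     "integration_uri": "https://internal.example.com/orders"}]}

def evaluate_stage(facts):
    """Pure decision logic: returns (compliance_type, annotation) for one stage."""
    findings = []
    if not facts.get("web_acl_arn"):
        findings.append("no WAF web ACL attached")
    for m in facts["methods"]:
        where = f"{m['http_method']} {m['path']}"
        # OPTIONS is normally the CORS preflight and is unauthenticated by design
        if m["http_method"] != "OPTIONS" and m.get("authorization_type", "NONE") == "NONE":
            findings.append(f"{where} has no authorizer")
        if (m.get("integration_uri") or "").lower().startswith("http://"):
            findings.append(f"{where} integrates over plaintext http")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Config caps annotations at 256 chars
    return "COMPLIANT", "WAF attached, every method authorised, integrations use https"

def gather_stage_facts(rest_api_id, stage_arn, apigw=None, wafv2=None):
    """Query API Gateway and WAFv2 directly, since the Config item lacks these attributes."""
    if apigw is None or wafv2 is None:  # boto3 imported lazily so the logic is testable without it
        import boto3
        apigw, wafv2 = apigw or boto3.client("apigateway"), wafv2 or boto3.client("wafv2")
    web_acl = wafv2.get_web_acl_for_resource(ResourceArn=stage_arn).get("WebACL")
    methods = []
    for res in apigw.get_resources(restApiId=rest_api_id, embed=["methods"])["items"]:
        for http_method, m in res.get("resourceMethods", {}).items():
            methods.append({"http_method": http_method, "path": res["path"],
                            "authorization_type": m.get("authorizationType", "NONE"),
                            "integration_uri": m.get("methodIntegration", {}).get("uri")})
    return {"web_acl_arn": web_acl["ARN"] if web_acl else None, "methods": methods}

def lambda_handler(event, context):
    # Custom Config rule entry point; assumes the rule is scoped to AWS::ApiGateway::Stage
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::ApiGateway::Stage" or item["configurationItemStatus"] == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "rule evaluates REST API stages only"
    else:  # "restApiId" inside configuration and "ARN" on the item are assumed field names
        compliance, note = evaluate_stage(gather_stage_facts(item["configuration"]["restApiId"], item["ARN"]))
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note, "OrderingTimestamp": item["configurationItemCaptureTime"]}])
```

The Lambda's execution role needs `apigateway:GET`, `wafv2:GetWebACLForResource` and `config:PutEvaluations` in addition to the usual Config rule permissions.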